Tech by VICE

Correction: WannaCry Ransomware That Struck the Globe Isn't Back, Yet

The ransomware samples without the kill switch do not pose the same threat to the public

by Joseph Cox
May 13 2017, 9:49pm

Image: Shutterstock

Correction: This piece was based on the premise that a new piece of WannaCry ransomware spread in the same manner as the one that was responsible for widespread attacks on Friday, and that it did not contain a so-called kill switch. However, after the publication of this article one of the researchers making this claim, Costin Raiu, director of global research and analysis team at Kaspersky Lab, realized that was not the case. The ransomware samples without the kill switch did not proliferate in the same manner, and so did not pose the same threat to the public. Motherboard regrets the error.

The original article follows below:

On Friday, a variation of the WannaCry ransomware ripped across the globe, infecting UK hospitals, a Spanish telecom company, and companies in various other sectors. After several hours, the attack was suddenly blocked from spreading much further when a security researcher registered a domain which ordered the malware to stop infecting new machines.

But, as many expected, that was only a temporary fix. Over Friday and Saturday, samples of the malware emerged without that debilitating feature, meaning that attackers may be able to resume spreading ransomware even though a security researcher cut off the original wave.

"I can confirm we've had versions without the kill switch domain connect since yesterday," Costin Raiu, director of global research and analysis team at Kaspersky Lab told Motherboard on Saturday.

On Friday, the researcher known as MalwareTech dug through the WannaCry variant used in the recent global attack and found an unregistered domain nestled in its code; a URL that the hackers seemingly used for testing purposes, or purposefully put in so they could remotely disable their malware. As it turned out, the malware was made in such a way that before every infection it would try to call out to this domain. If there wasn't a response, it would go ahead and lock down the victim machine with ransomware. But if the domain was up and running, as it was after MalwareTech registered it, the malware would stop in its tracks.

As he explained in a blog post, MalwareTech originally decided to register the domain himself in an attempt to sinkhole the malware; that is, take control of the hacker's domain, and use it to gather information about the attack.

But with other versions of WannaCry, that domain is irrelevant. If a hacker decides to launch another attack, they may be successful at infecting new machines.

The recent WannaCry variants take advantage of vulnerabilities that relate to exploits dumped by the group known as The Shadow Brokers earlier this year. Those exploits allegedly originate from the NSA, and Microsoft patched the relevant security issues for modern machines in March.

However, plenty of organisations still run legacy operating systems such as Windows XP, including the UK's National Health Service, which has already faced myriad WannaCry infections.

Late on Friday, Microsoft took the highly unusual step of pushing out a free patch for generally unsupported operating systems such as Windows XP Server 2003. CCN-CERT, the Spanish computer emergency response team, released its own tool that it says will stop WannaCry from infecting machines.

So, even though the first large wave of WannaCry may have halted, if organizations don't patch or take other mitigations, there's a chance it could just happen again.

Update: Originally, this piece included quotes from a second security researcher who tweeted he had found samples without the so-called killswitch. The researcher has since deleted those tweets and Motherboard has removed them from the article. Another researcher confirmed they have seen samples of the malware without the killswitch.

Shadow Brokers